{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0949", "assignerOrgId": "20be33e2-bf35-4d13-8fad-18bd2f3e3659", "state": "PUBLISHED", "assignerShortName": "EDB", "dateReserved": "2026-01-14T16:55:03.874Z", "datePublished": "2026-01-16T16:29:42.134Z", "dateUpdated": "2026-01-16T16:49:37.156Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "20be33e2-bf35-4d13-8fad-18bd2f3e3659", "shortName": "EDB", "dateUpdated": "2026-01-16T16:29:42.134Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "affected": [{"vendor": "EnterpriseDB", "product": "Postgres Enterprise Manager (PEM)", "versions": [{"version": "9", "status": "affected", "lessThan": "9.8.1", "versionType": "custom"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "INTERNAL"}, "references": [{"url": "https://www.enterprisedb.com/docs/security/advisories/cve20260949/"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T16:49:16.831356Z", "id": "CVE-2026-0949", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T16:49:37.156Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0949", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T16:49:16.831356Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T16:49:28.968Z"}}], "cna": {"source": {"discovery": "INTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "EnterpriseDB", "product": "Postgres Enterprise Manager (PEM)", "versions": [{"status": "affected", "version": "9", "lessThan": "9.8.1", "versionType": "custom"}], "defaultStatus": "affected"}], "references": [{"url": "https://www.enterprisedb.com/docs/security/advisories/cve20260949/"}], "descriptions": [{"lang": "en", "value": "PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "20be33e2-bf35-4d13-8fad-18bd2f3e3659", "shortName": "EDB", "dateUpdated": "2026-01-16T16:29:42.134Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0949", "state": "PUBLISHED", "dateUpdated": "2026-01-16T16:49:37.156Z", "dateReserved": "2026-01-14T16:55:03.874Z", "assignerOrgId": "20be33e2-bf35-4d13-8fad-18bd2f3e3659", "datePublished": "2026-01-16T16:29:42.134Z", "assignerShortName": "EDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:enterprisedb:postgres_enterprise_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "36756BDF-F614-4035-B6CC-1BED2359F574", "versionEndExcluding": "9.8.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PEM versions prior to 9.8.1 are affected by a stored Cross-site Scripting (XSS) vulnerability that allows users with access to the Manage Charts menu to inject arbitrary JavaScript when creating a new chart, which is then executed by any user accessing the chart. By default only the superuser and users with pem_admin or pem_super_admin privileges are able to access the Manage Charts menu."}], "id": "CVE-2026-0949", "lastModified": "2026-02-10T17:25:39.597", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.2, "source": "20be33e2-bf35-4d13-8fad-18bd2f3e3659", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-16T17:15:54.047", "references": [{"source": "20be33e2-bf35-4d13-8fad-18bd2f3e3659", "tags": ["Vendor Advisory"], "url": "https://www.enterprisedb.com/docs/security/advisories/cve20260949/"}], "sourceIdentifier": "20be33e2-bf35-4d13-8fad-18bd2f3e3659", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "20be33e2-bf35-4d13-8fad-18bd2f3e3659", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:45:03.696637+00:00", "value": {"mitigation_remediation": ["Upgrade PostgreSQL Enterprise Manager to version 9.8.1 or later, which removes the XSS flaw.", "Restrict the Manage Charts menu to only those accounts that absolutely need it, removing any unnecessary pem_admin or pem_super_admin privileges.", "Continuously monitor chart logs and user activity for unexpected script entries, and enforce strict input sanitization or a content\u2011security policy to mitigate future script injection attempts."], "summary": {"action": "Apply Upgrade", "impact": "Stored Cross\u2011Site Scripting (XSS) that allows arbitrary JavaScript execution by privileged users"}, "threat_synthesis": {"affected_systems": "EnterpriseDB Postgres Enterprise Manager, all releases earlier than version 9.8.1, accessed via the Manage Charts feature.", "description_and_impact": "PEM versions before 9.8.1 contain a stored Cross\u2011Site Scripting flaw that permits users who can create charts in the Manage Charts menu to inject malicious JavaScript. When a chart is viewed, the injected script runs in the victim\u2019s browser. Because only the superuser and users with pem_admin or pem_super_admin roles can create charts, the impact is limited to these high\u2011privilege accounts but can affect any other user who opens the compromised chart, potentially exposing session data or enabling further attacks.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.5 and an EPSS of less than 1\u202f%, indicating moderate severity but low expected exploit frequency. It is not listed in CISA\u2019s KEV catalog. Exploitation requires authenticated access with pem_admin or pem_super_admin rights to create a chart, after which any user who subsequently opens the chart will have the attacker\u2019s script executed. In typical deployments the attack surface is internal, but compromised privileged credentials or social\u2011engineering could provide the necessary access."}}}}, "created": "2026-01-19T09:20:41.058819+00:00", "title": "Stored XSS in EnterpriseDB Postgres Enterprise Manager via Manage Charts Menu", "updated": "2026-04-18T05:45:38.179482+00:00", "vendors": ["enterprisedb", "enterprisedb$PRODUCT$postgres_enterprise_manager"]}